Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-29-2017, 03:02 PM   #16
camp0
Member
 
Registered: Dec 2016
Location: Dublin
Distribution: Fedora
Posts: 70

Rep: Reputation: 4

Probably all the linux distros are similar in terms of security, however, if you want to have something really secure and reliable go for BSD.
 
Old 01-29-2017, 09:54 PM   #17
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,359
Blog Entries: 3

Rep: Reputation: 3767
Quote:
Originally Posted by camp0 View Post
Probably all the linux distros are similar in terms of security, however, if you want to have something really secure and reliable go for BSD.
FreeBSD is only about the same as GNU/Linux in those regards, however. The two big advantages it has are a lack of a systemd-like situation (so far) and jails. NetBSD and DragonflyBSD are probably not going to be interesting for the desktop. OpenBSD is great, but with the caveats above.
 
1 members found this post helpful.
Old 01-30-2017, 08:02 AM   #18
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,691
Blog Entries: 4

Rep: Reputation: 3947
... actually, I would say that "BSD is only perceived as 'secure' because of the particular ('nothing installed by default') packaging, and by good marketing on their part.

A distro is not "secure," any more than a particular prefabricated door at the hardware store is or isn't. Even though the door itself may be strong or not-so strong, it all depends on the wall that you put it in. The fence you put around the yard. And, so on.

(And, whether or not you're standing on the other side of that doorway, holding a loaded Colt .45 ...)
 
1 members found this post helpful.
Old 02-12-2017, 08:48 AM   #19
sevendogs
LQ Newbie
 
Registered: Feb 2017
Distribution: Slackware
Posts: 12

Rep: Reputation: Disabled
No OS is truly secure unless you turn the computer off. If you expose services to the outside world, you open a door. If you do not open any services (ssh, web server, etc) and have adequate firewall protection, malware protection, keep your OS updated and don't do anything stupid, like surf porn, download software from unofficial sources, steal music and movies, you should be fine. Extra layers of protection, such as running read-only are not necessary for most people unless you are doing something illegal or engaged in nefarious activities. It is also a common fallacy that Linux and the BSDs cannot be infected with viruses. Any OS is subject to viruses, it's just a question of whether anyone makes the effort to write a virus for a given OS.

OpenBSD claims it is the most secure OS. As others have mentioned, that is only because no services are open at initial install and the idea of "most secure OS" is really based on some criteria I am sure the OpenBSD folks came up with. Not knocking OpenBSD, just commenting on their "marketing" claim. I have been using computers with various operating systems for nearly 30 years and I have never gotten a virus, even in Windows. A lot of it has to do with your behavior and the things you do online.

Statements made that you should operate your computer in a vacuum and that you need to operate only through the tor browser, read-only, etc, are FUD for the average person. If you engage in criminal hacking, child porn distribution or espionage, those technologies might suit you well but most people (I hope) don't do that.
 
1 members found this post helpful.
Old 02-12-2017, 07:25 PM   #20
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
The security of a server has more to do with the sys admin than it does the OS. A windows box can be made more secure than a *nix one if the Windows server is set-up by an expert and the *nix server by a novice. The major things are to look at what layers of security you can add and what vulnerabilities the main services on the servers have. For example if you are running PHP then you might want to disable certain functions such as "exec" to make PHP more secure or if you are running a mail server then you should do open relay tests on it to ensure you aren't hosting an open relay.

That said, when it comes to scripting languages, you also want to make sure the devs are developing secure code... I've seen many a server get hacked because of PHP devs that hadn't heard of sanitizing inputs and were completely unaware of things like SQL injections.
 
2 members found this post helpful.
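
An added example, not part of any post in this thread: a small audit of the `disable_functions` directive mentioned above, showing that turning off only `exec` leaves other command-execution functions callable. The watch list and the sample `php.ini` text are assumptions made for this example.

```python
import re

# Assumption: watch list chosen for this example; the post names only "exec".
COMMAND_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
; constructed php.ini fragment
[PHP]
engine = On
disable_functions = exec, passthru ; partial hardening
"""

def disabled_functions(ini_text):
    """Return the function names listed in the effective disable_functions line."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in php.ini
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            # A later assignment overrides an earlier one, so rebuild the set.
            value = m.group(1).strip().strip('"')
            disabled = {n.strip().lower() for n in value.split(",") if n.strip()}
    return disabled

def still_enabled(ini_text, watch=COMMAND_FUNCS):
    """List watched functions that the configuration does not disable."""
    off = disabled_functions(ini_text)
    return [name for name in watch if name not in off]

if __name__ == "__main__":
    for name in still_enabled(SAMPLE_INI):
        print("still callable:", name)
```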
Old 02-12-2017, 11:27 PM   #21
Jjanel
Member
 
Registered: Jun 2016
Distribution: any&all, in VBox; Ol'UnixCLI; NO GUI resources
Posts: 999
Blog Entries: 12

Rep: Reputation: 364
Is RFC1918 the 'solution'? (unless you 'drag' in some malware) [NON-server env]

I thought it makes a 'day/night;1/0' difference IF you have a NON-routable vs. routable IP address. Ref:
Quote:
using a non-routable IP address protects you from the outside world. (It does not protect you from [MAL]ware that is [already] ON your machine)
Yes, IF some 'malware' gets IN, -it- can make any&all kinds of OUTgoing ...
(maybe think firewall to block outgoing ...)

I have a 192.168.1.2 like address (think Public wifi; yes, others can 'spy' on my traffic)
so ?nothing? can 'connect IN' (unless some malware connects out first).
Is that right? SECURE? (I'm asking for feedback from other LQ'ers here!)
(Doesn't `netstat -tupln` report ALL allowed incoming? Help me learn )

@OP: Which do you have? (public or private IP) Could you 'run ok' with non-routable,
like a Comcast ISP home router, which [wifi] DHCPs 192.168.. (or 10...) addresses
(and 'depend' on that for 'security')?

(once, long ago, I plugged an ethernet cable directly into old cable-modem & got a 'real' IP. Currently, a single external routable IP is 'shared' [NAT] by MANY 192.168.n.* 'in the building'.)

Last edited by Jjanel; 02-12-2017 at 11:56 PM.
 
1 members found this post helpful.
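
An added example, not part of any post in this thread: it parses `netstat -tuln` style output and labels each listening socket by its bind address, separating loopback-only listeners from those bound to all interfaces or to an RFC 1918 address. The sample output is constructed; a listener on a private address is still reachable by other hosts on the same network, and whether NAT sits in front of the host is not visible in this output.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `netstat -tuln` output.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:8080        0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def bind_scope(host):
    """Label a bind address by who can reach a socket listening on it."""
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback-only"
    if addr.is_unspecified:          # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    if any(addr in net for net in RFC1918):
        return "rfc1918-interface"
    return "routable-interface"

def classify_listeners(netstat_text):
    """Return (proto, host, port, scope) for every tcp/udp row."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue                 # skip banner and column header
        host, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 colons in host
        rows.append((fields[0], host, int(port), bind_scope(host)))
    return rows

def reachable_from_network(netstat_text):
    """Listeners that accept connections from something other than this host."""
    return [r for r in classify_listeners(netstat_text) if r[3] != "loopback-only"]

if __name__ == "__main__":
    for proto, host, port, scope in classify_listeners(SAMPLE_NETSTAT):
        print(f"{proto:5} {host:>15}:{port:<6} {scope}")
```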
Old 02-13-2017, 03:56 AM   #22
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,359
Blog Entries: 3

Rep: Reputation: 3767
Quote:
Originally Posted by sevendogs View Post
No OS is truly secure unless you turn the computer off. If you expose services to the outside world, you open a door. If you do not open any services (ssh, web server, etc) and have adequate firewall protection, malware protection, keep your OS updated and don't do anything stupid, like surf porn, download software from unofficial sources, steal music and movies, you should be fine. Extra layers of protection, such as running read-only are not necessary for most people unless you are doing something illegal or engaged in nefarious activities. It is also a common fallacy that Linux and the BSDs cannot be infected with viruses. Any OS is subject to viruses, it's just a question of whether anyone makes the effort to write a virus for a given OS.

OpenBSD claims it is the most secure OS. As others have mentioned, that is only because no services are open at initial install and the idea of "most secure OS" is really based on some criteria I am sure the OpenBSD folks came up with. Not knocking OpenBSD, just commenting on their "marketing" claim. I have been using computers with various operating systems for nearly 30 years and I have never gotten a virus, even in Windows. A lot of it has to do with your behavior and the things you do online.

Statements made that you should operate your computer in a vacuum and that you need to operate only through the tor browser, read-only, etc, are FUD for the average person. If you engage in criminal hacking, child porn distribution or espionage, those technologies might suit you well but most people (I hope) don't do that.
M$ talking points keep turning up every year and a half or so. I guess they will do so as long as M$ has research money available, or have they gone back to calling those funds marketing again to match their real use?

Firstly, a firewall does virtually nothing to help security. Either a service can survive on the net on its own or it should not be connected to the net in the first place. Microsofters promote firewalls as a panacea but if it is still allowing MSIE, MSEdge, or MSOutlook to reach out and fetch infections, it is not helping. The same also goes for web browsers on real operating systems. The browsers are the weakest point in the chain, yet in order to function must go out and fetch stuff from the net, including malware.

Anti-virus does very little except lighten your wallet. It is signature-based and, in effect, closing the barn door after the horse has escaped.

See M$ SQL Slammer worm for a really good example of that. Additionally, it is possible that even the basic premise on which anti-virus software operates can be bypassed. Yes, some scanners can work, to find known infections but only late in the game after the horse has escaped so to speak. Then there is the slovenly and glacially slow approach that vendor has towards actually patching. It is infamous in that regard because a global cottage industry in known, but unpatched, holes has grown into an official beast that includes governments as customers.

About the malware claims, contrary to M$ talking points they are not spread through visiting particular web sites. They are largely spread through javascript- and Flash-based advertising, not any particular class of web site:
Block scripts from your browser to eliminate that risk. Unless you are on Windows, then there is no barrier anyway.

Over on the server, not all services are created equal. Again, on OpenBSD, on the server, things are off by default but that is only the first step. All of the services available in the base distro have multiple mitigation approaches to reduce the attack surface. The most prominent one is their use of privilege separation. That is supplemented with a cleaner, more modular code design. That includes further (currently) advanced mitigation techniques, ahead of other operating systems, such as Write XOR eXecute (W^X) memory, syscall restrictions, stack protection, and address space layout randomization (ASLR). Above all they follow the K.I.S.S. principle and reduce moving parts. If it's not there, it can't break. So culling or refactoring old code happens often and there are periodic code audits for the base system. With that in mind, the services provided in their base system (DNS, mail, web, SSH, BGP, packet filter, NTP, IKE, to name some) are quite secure, unless severely misconfigured.

Claims to have run Windows without ever having gotten a virus or other malware are exceedingly dubious and go against all my observations of Windows sites. Such claims are most likely coming from having either a) not actually run Windows, b) misrepresented the case intentionally, c) not bothered to check the machines or have qualified people check them on their behalf, or d) operated under 'C2' conditions with all ports epoxied including floppy drives and no exchange of data possible except output via a paper printer.

The point about using only official repositories for software is an important point. But in cases of essential privacy software like the Tor Browser Bundle, which are not included in such repositories, it is essential to manually check the OpenPGP signature and the checksum.
 
1 members found this post helpful.
Old 02-13-2017, 07:16 AM   #23
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Never buy a computer.
Never plug one in.
Never turn it on.
--
Secure.
 
Old 02-13-2017, 07:23 AM   #24
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Quote:
Originally Posted by Habitual View Post
Never buy a computer.
Never plug one in.
Never turn it on.
--
Secure.
And then somebody takes a photo with you in it and uploads it to facebook... d'oh.
 
Old 02-13-2017, 09:17 AM   #25
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,691
Blog Entries: 4

Rep: Reputation: 3947
Give me any operating system – in the case of Windows, something beyond Home Edition so that I have the tools that are needed – and I can "secure it."

Probably the most important principle is the Principle of Least Privilege. Computers are terrible at saying "yes," but very good at saying "no," so you carefully arrange things so that programs (and especially, users) have access to precisely what they need to do and see, and nothing more. You also devise and impose appropriate limits on their use of system resources.

You also pay close attention to infrastructure: secure backups running all the time, and security updates being applied as soon as they are available.
 
Old 02-13-2017, 09:30 PM   #26
sevendogs
LQ Newbie
 
Registered: Feb 2017
Distribution: Slackware
Posts: 12

Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Claims to have run Windows without ever having gotten a virus or other malware are exceedingly dubious and go against all my observations of Windows sites. Such claims are most likely coming from having either a) not actually run Windows, b) misrepresented the case intentionally, c) not bothered to check the machines or have qualified people check them on their behalf, or d) operated under 'C2' conditions with all ports epoxied including floppy drives and no exchange of data possible except output via a paper printer.
You quote me and then have the audacity to say my claim that I have never had a virus is 'exceedingly dubious'? I have been a security expert for many years and am very careful about what I do and do not do on the Internet.

Enough said, arguing on the Internet is like chasing smoke.
 
Old 02-23-2017, 07:58 PM   #27
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,020

Rep: Reputation: 3630
OK.

Personally I believe that the more best practices you learn and the more you use, the more likely it is that your system will be secure. I am pretty sure running a perimeter firewall has advantages. Pretty sure that running up to date distro is helpful. Running all items in lowest level needed to get job done is good. Not installing any program or service that you don't need is helpful. Enable SElinux is always better I'd think. Going to known or suspected bad sites won't help. Leaving physical access open isn't good. Strong passwords or certificates is useful.

A ton of helpful tips exist on Enterprise level OS sites as well as tech sites. I don't agree with some of them too.
 
Old 02-23-2017, 08:44 PM   #28
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,148
Blog Entries: 21

Rep: Reputation: 3483
Quote:
such as running read-only are not necessary for most people unless you are doing something illegal or engaged in nefarious activities.
I guess you mean me. Oh really? I am not computer nefarious. I am real life notorious though. Click on my about me I guess to get the idea. I looked at yours and we seem to have common traits. Though I am probably an amateur maybe compared to you.

I am always amused when folks make judgment calls from their own private Idaho on what others do with their personal computers. I know I did say shady in my previous post. But that was artistic licensing there talking.

In case someone had a shady agenda of their own. You know. When google search brings in a look see into this thread.

Edit: I did at least provide links as a courtesy to people reading this thread also on distros that I personally use to get the results I want.

Last edited by rokytnji; 02-23-2017 at 08:49 PM.
 
Old 02-24-2017, 02:26 AM   #29
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,727

Rep: Reputation: 2367
Quote:
Originally Posted by sundialsvcs View Post
... actually, I would say that "BSD is only perceived as 'secure' because of the particular ('nothing installed by default') packaging, and by good marketing on their part.
You should probably do a little research for yourself before making such sweeping ill-informed generalisations.
 
1 members found this post helpful.
Old 02-26-2017, 03:43 AM   #30
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 421

Rep: Reputation: 74
Most malware is delivered via the web, i.e. JavaScript, and runs regardless of OS. It can see the entire contents of home folder and beyond. It can see the decrypted home partition while user is logged in. Encrypting at file-level on the other hand is too inconvenient. So is X desktop environment.

It truly is hard to secure a connected device.
 
  

